Proposed Guidance Regarding Adoption or Listing of Virtual Currencies

Introduction

In July 2014 the New York State Department of Financial Services (“DFS”) released for public comment a proposed regulatory framework for virtual currency firms and in the summer of 2015 the Department finalized its regulations before beginning to issue licenses that fall. Since 2015, DFS has granted two dozen such licenses and charters to ensure that New Yorkers have a well-regulated way to access the virtual currency marketplace and that New York remains at the center of technological innovation and forward-looking regulation. To provide regulatory clarity and efficiency, and to ensure that our approach to regulating virtual currency businesses reflects the realities of an evolving market, we are reviewing our virtual currency regulations and the manner in which they are implemented. In the nearly five years since DFS issued regulations on this topic, some of our regulated virtual currency licensees (“VC licensees”), including both those holding BitLicenses and those holding trust charters, have asked to list new virtual currencies (“coins”) in addition to those included in their initial applications to DFS. Over that time period, there has been exponential and continued growth in the number of coins available in the market.

To enhance efficiency and enable VC licensees to offer and use new coins in a timely fashion, DFS is seeking comments from all interested parties and the general public regarding the following two proposed coin adoption or listing options that DFS wishes to make available to VC licensees. Comments should be submitted by January 27, 2020 to [email protected]. (Please use “Proposed Coin Listing Policy Framework” in the subject line. Note that comments may be subject to public inspection, and should not include any sensitive or confidential information.)

A proposed DFS web-page that will contain a list of all coins that are permitted for the Virtual Currency Business Activities of the VC licensees, without the prior approval of DFS, which list may be updated from time to time, as long as such listed coins have not been subject to any modification, division, or change after their listing on the DFS web-page1; and

A proposed model framework for a coin-listing or adoption policy that can be tailored to a VC licensee‘s specific business model and risk profile to create a firm specific coin listing or adoption policy (a “company coin-listing policy”) that, if approved by DFS, will enable the licensee to self-certify the listing or adoption of new coins in addition to those listed under 1 above, without DFS’s prior approval.

Once a VC licensee’s coin-listing policy is approved by DFS, subsequently, the licensee will be able to self-certify to DFS that its proposed adoption or listing of new coins comply with the requirements of its DFS-approved company coin-listing policy, and provide written notice to DFS of its intent to offer and use any such new coins, including details of the usage and offering of such coins, prior to using or offering such coins. In such case, no prior DFS approval will be required, only a prior notice.

VC licensees that do not have DFS-approved company coin-listing policies are required to seek DFS’s prior approval with respect to any coin other than those listed under 1 above, if they have not already received DFS’s prior approval.

All VC licensees are required to keep DFS informed, no later than at the time of their next quarterly filing, of all coins to be used or offered in connection with their Virtual Currency Business Activities.

* * * * *

Proposed Model Framework for the Creation of Company Coin-Listing Policies

A VC licensee’s coin-listing policy should consist of robust procedures that comprehensively address all steps involved in the review and approval of virtual currencies in connection with the Virtual Currency Business Activities of the licensee. The policy must be tailored to the VC licensee’s specific business model, operations, customers and counterparties, geographies of operations, service providers, and the use, purpose and specific features of the coins being considered. It should also include procedures for notifying DFS of new coin listings. A company coin-listing policy should, at a minimum, contain and be based on the following attributes:

I. Governance

The VC licensee should ensure that:

The board of directors of the VC licensee or an equivalent governing authority of the licensee approves the company coin-listing policy;

The board of directors of the VC licensee or an equivalent governing authority of the licensee reviews and independently makes decisions to approve or disapprove each new coin;

Any and all conflicts of interest in connection with any review and decision-making process with respect to coins are considered and addressed to ensure that those involved in the review and decision-making process regarding a particular coin have no conflicts of interest;

There are minutes of the board of directors or equivalent governing authority of the licensee, including the names of the participants and all documents reviewed by the participants in connection with each approval or disapproval of coins, such as reviews and sign offs by all stakeholders, such as the legal, compliance, cybersecurity, and operations teams of the licensee, including an assessment of all associated risks; and

The licensee keeps records of the application of the company coin-listing policy to each new coin, including minutes of the board of directors or the equivalent governing authority and all related documentation, such as the reviews and sign offs of all stakeholders, readily available for review by DFS.

II. Risk

Before adopting or listing any new coin, a VC licensee should conduct and document a full risk assessment of such coin in a way that is entirely free of conflicts of interest, including the following risks:

Risks associated with the creation or issuance, governance, usage or design of any new coin through due diligence to ensure that any new coin is created or issued by a legitimate and reputable entity or entities for lawful and legitimate purposes and not for evading compliance with applicable laws and regulations, such as money laundering or other illegal activities, and that the process is subject to a strong governance and control framework;

Operational risks associated with any new coin, including the resulting demands on the licensee’s resources, infrastructure, and personnel, as well as operational capacity for continued customer on-boarding and customer support based on reasonable forecasts considering the overall operations of the licensee;

Risks associated with any technology or systems enhancements or modification requirements necessary to ensure timely adoption or listing of any new coin;

Cyber security risk, or risks relating to theft;

Market risks, including concentration of coin holdings or control by a small number of individuals or entities, price manipulation, and fraud;

Risks relating to code defects and breaches and other threats concerning any new coin and its supporting blockchain, practices and protocols that apply to them, including an escalation process to report such defects, breaches and threats to the senior management and the board of directors or an equivalent governing authority for further action;

Risks relating to potential non-compliance with the requirements of the VC licensee’s supervisory agreement with DFS as a result of the adoption of new coins, including the capital requirement of the licensee in accordance with 23 NYCRR 200.8;

Legal risks associated with any new coin, including any pending or potential regulatory, criminal, or enforcement action relating to the issuance, distribution, or use of the new coin, such as actions relating to coins that may facilitate the obfuscation or concealment of the identity of a customer or counterparty, or coins used to circumvent laws and regulations;

Regulatory risks, including risks related to compliance with all applicable laws, rules and regulatory guidances, such as guidances issued by the U.S. Securities and Exchange Commission, the U.S. Commodity Futures Trading Commission, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network;

VC licensees should ensure that an independent audit review of all associated risks relating to a new coin is conducted to ensure that all risks have been assessed and addressed.

III. Monitoring

After a new coin is adopted or listed, the VC licensee should have policies and procedures in place to monitor the newly adopted or listed coin, to ensure that the licensee’s continued adoption or listing of the coin remains prudent. This includes:

Periodic re-evaluation of the coin, including whether material changes have occurred, with a frequency and level of scrutiny tailored to the risk level of the particular coin;

Adoption, documentation, and implementation of control measures to manage risks associated with the coin; and

The existence of a process for de-listing the coin, with respect to some or all Virtual Currency Business Activities of the licensee, including notice to affected customers and counterparts in the case of such de-listing.

* * * * *

This model framework is not intended to be exhaustive, and may be updated from time to time in response to new information, evolving markets, and additional experience. Additionally, the model framework is not intended to limit the scope or applicability of any law or regulation. While we believe that well-crafted coin-listing policies will help avoid the potential adoption or listing of coins that are inconsistent with DFS regulations, DFS retains the right to object to the adoption or listing of any self-certified coin before or after the listing goes into effect, and to require that they be delisted.